Monthly Archives: March 2010

How to get money back from a bank

I’ve written enough over the years about people who tried and failed to get money back from banks after seeing transactions on their accounts that they did not recognise. Now I’ve had to go through the process myself.

I got a refund from the NatWest after a dodgy debit appeared on the credit card my wife uses. The bank’s dispute resolution mechanism turned out to be unserviceable, but we got the money back promptly when we sued them in the small claims court. The story is, I believe, an instructive one for people interested in bank security or payment systems regulation.

Continue reading How to get money back from a bank

Protecting Europe against large-scale cyber-attacks

As on two previous occasions, I’ve been acting as specialist adviser to a House of Lords Committee. This time it was the European Union Committee, who held an inquiry into “Protecting Europe against large-scale cyber-attacks”.

The report is published today and is available in PDF and in HTML. It’s been covered by The Telegraph, the BBC, the Washington Post, and on Parliament’s own TV channel. Interestingly, there’s not all that consensus on what the main story is, or quite what the recommendations were!

Continue reading Protecting Europe against large-scale cyber-attacks

Ineffective self-blocking by the National Enquirer

It used to be simple to explain how browsing works. You type a link into the browser, the browser asks a DNS server at your ISP to translate the human-friendly hostname into the IP address of the web server, and then the browser contacts the server with an HTTP request requesting the page that you want to view.

It’s not quite that simple any more — which is rather bad news for the National Enquirer, the US tabloid which decided, three years or so ago, following a brush with the UK libel laws, that it would not publish a UK edition, or allow visits to its website from the UK. Unfortunately, the Enquirer’s blocking is no longer working as effectively as it used to.

Continue reading Ineffective self-blocking by the National Enquirer

Panorama looks at unlawful filesharing

Last night’s Panorama looked at the issue of unlawful filesharing and the proposals within the Digital Economy Bill that the UK Government thinks will deal with it.

The Open Rights Group has criticised the programme for spending too long examing the differences of opinion among music makers, and too little time talking about rights — perhaps that’s an inevitable side effect for fronting the programme with Jo Whiley, a Radio One DJ. This probably increased the audience amongst the under-30s who do a great deal of the file sharing; and for whom this may be the first time that they’ve had the bill’s proposals explained to them. So lose some, win some!

The programme had a number of stunts : they slowed down the broadband of a student household (not only was their MP3 going to take 13 weeks to download, they found they couldn’t effectively look at their email). They got a digital forensics expert to look at a family’s computers, finding copies of LimeWire (tricky stuff forensics!) and portraying this as a smoking gun for unlawfulness. The same expert camped outside the student house and piggybacked on their WiFi (apparently by employing a default password on their broadband router to authorise themselves to have access).

You can also see yours truly:
Richard Clayton on Panorama
demonstrating an anonymity network (it was in fact Tor, but I’d done a little tweaking to ensure that its standard discouragement of file sharing activity didn’t have any impact) : and showing that a Bit Torrent tracker stopped recording me as being in Cambridge, but placed me at the Tor exit node in Germany instead.

I argued that as soon as large numbers of people were getting in trouble for file sharing because they were traceable — then they wouldn’t stop file sharing, but they would stop being traceable.

All in all, within the limitations of a 30-minute prime-time main-channel show, I think the Panorama team provided a good introduction to a complex topic. You can judge for yourself (from within the UK) for the next 7 days on the BBC iPlayer, or in three parts on YouTube (I’m two minutes into part 3, at least until a web blocking injunction bars your access to what might well be an infringement of copyright).

What's worrying the spooks?

As I mentioned a few days ago, the security services have some concerns about the Digital Economy Bill:

If evading blocking systems becomes a mainstream activity (and there’s said to be 6-7 million illegal file sharers in the UK) then it will be used, almost automatically, by subversive groups — preventing the spooks from examining the traffic patterns and comprehending the threat.

There seems to be some confusion about quite what is worrying the security services. Last October, The Times reported that “both the security services and police are concerned about the plans, believing that threatening to cut off pirates will increase the likelihood that they will escape detection by turning to encryption”, and this meme that the concern is encryption has been repeated ever since.

However, I think that Patrick Foster, the Times media correspondent, got hold of the wrong end of the stick. The issue isn’t encryption but traffic analysis.

Continue reading What's worrying the spooks?

Cambridge Science Festival: Science research now!

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.

On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

A wrecking amendment ?

For the past few months the Digital Economy Bill (DEB) has been quietly making its way through the House of Lords. As is the way of these things, large numbers of amendments have been proposed, their lordships have had a series of mini-debates on each set of issues, and the Government have been busily amending the Bill in an attempt to fix all the things that they didn’t think through properly.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

Continue reading A wrecking amendment ?

More on the SCR

Two weeks ago I posted about the Summary Care Record, a project to centralise medical records in England and Wales under the pretext that central records might be useful in emergency care. At the time, I wrote to the Cabinet Secretary asking whether it was appropriate to use taxpayers’ funds to leaflet millions of homes on a politically sensitive topic during an election campaign; I haven’t yet got a reply.

Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.

The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.

Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.

Evaluating statistical attacks on personal knowledge questions

What is your mother’s maiden name? How about your pet’s name? Questions like these were a dark corner of security systems for quite some time. Most security researchers instinctively think they aren’t very secure. But they still have gained widespread deployment as a backup to password-based authentication when email-based identification isn’t available. Free webmail providers, for example, may have no other choice. Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions. This risk has gotten more attention recently, with high profile compromises of Paris Hilton’s phone, Sarah Palin’s email, and Twitter’s corporate Google Documents occurring due to guessed personal knowledge questions.

There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions are easy to look up online, often found in public records, and easy for friends and acquaintances to guess. In a joint work with Mike Just and Greg Matthews from the University of Edinburgh published this week in the proceedings of Financial Cryptography 2010, we’ve examined the more basic question of how secure the underlying answer distributions are to statistical guessing. Put another way, if an attacker wants to do no target-specific work, but just guess common answers for a large number of accounts using population-wide statistics, how well can she do?

Continue reading Evaluating statistical attacks on personal knowledge questions